Unbound starts returning SERVFAIL for random domains after querying at least one or both of those hostnames. I'm doing it one more time at unbound log level 5.

This sounds like the manifestation of the issue with DNSSEC enabled. At some point, you may want to try it again with DNSSEC disabled; you should then see all domains being resolved to a hostile IP, bad certs for https, etc. like reported in the beginning of this thread. Not sure if this would help with the diagnostics.

Unbound starts returning SERVFAIL for random domains after querying at least one or both of those hostnames. I'm doing it one more time at unbound log level 5.

This sounds like the manifestation of the issue with DNSSEC enabled. At some point, you may want to try it again with DNSSEC disabled; you should then see all domains being resolved to a hostile IP, bad certs for https, etc. like reported in the beginning of this thread. Not sure if this would help with the diagnostics.

Yes, DNSSEC was the change I made that made it go from the bad domain resolutions to the failure to resolve at all.

I've had both issues and DNSSEC was the difference between which one I got.

You should be thankful you found something that made it easily-reproducible. No need to be mad. Things happen - Look at BIND's history. And you can always just run dnsmasq in the meantime even though that's the exact opposite advice you got at first. :/

These two in particular, if you don't have them enabled, enable them. I changed things to enable both those by default, and we'll add config upgrade code to turn those on for anyone who doesn't have them enabled upon upgrade to 2.2.1.

- there's also this use-caps-for-id thing (patch to expose in GUI in 4205 or stick use-caps-for-id: yes to advanced config.

Another thing that makes me wonder... dnsmasq AFAICT is not compiled with DNSSEC support at all on pfSense even though it's apparently supported now. Hmmm. And of course, no matter what you are completely screwed with unsigned domains, and the DNS protocol is a piece of insecure crap.

A couple of suggestions for your own servers:- sign your domains (ahem... why's pfsense.org not signed?!)- if your registrar does not allow you to do so, switch registrar- if the TLD you are using is not signed, choose a different one- use DANE/TLSA for your critical servers at least.

Update for our situation (only dns active, harden glue settings not (yet) updated). The situation happened again a few minutes ago, and here it is how it looked in the resolver.log (first time "csof" is visible today) :

;; ADDITIONAL SECTION:a.nic.ch. 171692 IN A 130.59.1.80a.nic.ch. 171692 IN AAAA 2001:620::4b.nic.ch. 171692 IN A 130.59.211.10b.nic.ch. 171692 IN AAAA 2001:620::5c.nic.ch. 171692 IN A 147.28.0.39c.nic.ch. 171692 IN AAAA 2001:418:1::39d.nic.ch. 171692 IN A 200.160.0.5d.nic.ch. 171692 IN AAAA 2001:12ff:0:a20::5e.nic.ch. 171692 IN A 194.0.17.1e.nic.ch. 171692 IN AAAA 2001:678:3::1f.nic.ch. 171692 IN A 194.146.106.10f.nic.ch. 171692 IN AAAA 2001:67c:1010:2::53h.nic.ch. 171692 IN A 194.42.48.120

I now increased the verbosity of unbound with "unbound-control -c /var/unbound/unbound.conf verbosity 4" and waiting for another hit... If you have other suggestions in the mean time, please feel free.